Microsoft taps service for phishing data

Microsoft's research arm has been quietly collecting data through an add-on service to its Windows Live Toolbar to determine how often web users actually fall prey to phishing attacks.

Elizabeth Montalbano
October 5, 2007

Share

Twitter

Facebook

LinkedIn

Google Plus

Microsoft's research arm has been quietly collecting data through an add-on service to its Windows Live Toolbar to determine how often web users actually fall prey to phishing attacks.

The company released its research findings in a presentation at the Anti-Phishing Work Group (APWG) E-Crimes Summit in Pittsburgh.

Over a three-month time period last year, Microsoft Research tracked password reuse among more than 500,000 web users who downloaded the Phish Detective, part of the Windows Live OneCare Advisor package for the Windows Live Toolbar. The research was Microsoft's first attempt to determine how many users with the service were falling prey to phishing attacks, said Cormac Herley, a researcher at Microsoft Research. He presented findings of a paper about the research he co-wrote with fellow Microsoft researcher Dinei Florencio.

The research found that about 0.4% of web users per year give up information to phishing sites, though it is not clear how much money is being lost in those attacks, he said.

In an interview following his presentation, Herley said the challenge researchers had when determining how often phishing occurs is that, compared to the number of people that use e-mail and surf the web safely, phishing is a rare occurrence.

"The problem with phishing is that when you're trying to estimate something that's rare it gets hard," he said.

Tracking password reuse between sites was a logical way to try to determine phishing attacks because it mimicked what happens when a user falls into a phishing trap, Herley said.

When users are successfully phished, they will sign into a phishing site with the typical user name and password they would use if they actually were on the site being faked. A phisher would immediately reuse that information to sign in to the actual banking site to gain access to the users account.

Phish Detective sends URL information to servers at Microsoft when users with Phish Detective use the same password to sign in at two different sites. Some of these sites are legitimate instances of reuse – many web users have the same password for more than one website they commonly visit. However, some are not, and this is the activity used to detect phishing, Herley said.

It was easy to track which re-use seemed legitimate – for example, when a user would sign in with the same password at eBay and then sign in to a Yahoo Mail account, Herley said. It was also fairly simple to determine when a password was being reused at a likely phishing site because the password would be used at a "site you've never heard of before," he said.

Microsoft said it took great pains to ensure it is not violating users' privacy by collecting data through Phish Detective. The company does not extract specific user or password information through the tool; it only tracks instances of password reuse and logs URL information. Microsoft also had the tool audited by a third party to maintain privacy standards.

Herley declined to comment on whether Microsoft would expand its use of Phish Detective to other products, such as Internet Explorer (IE), which also has anti-phishing capabilities. IE7, the browser's current version, includes an anti-phishing filter that sends information about phishing sites to Microsoft. IE8 is due out in late 2008 or early 2009, according to Microsoft's current schedule for the product.